Read the CIS Benchmark for Ubuntu first.
To reach CIS Level 2 compliance, attach the machine to Ubuntu Pro and follow Canonical's instructions for setting up the Ubuntu Security Guide (usg) and applying the CIS profile.
After you have followed the documentation, audit the system:
sudo usg audit cis_level2_server
usg writes the HTML report under /var/lib/usg/ and it is owned by root. Copy it to the home directory of the host user, make that user the owner, and download it with:
scp -P <port> host@<hostname>:~/usg-report-<...>.html .
Alternatively, this repository contains the script cis-level2-server.sh, which automates fixing compliance issues without an Ubuntu Pro subscription. This is not recommended, since you lose the audit capabilities of usg and cannot verify the result against the benchmark. Never run this script blind: read it and make sure you understand every change it makes. CIS controls touch the firewall, PAM and SSH, and applying them carelessly can lock you out of the machine, so keep a second session open while it runs.
Additional SSH configuration, which is not part of CIS Level 2. Make sure key-based login already works and keep your current session open while you change this:
- Open /etc/ssh/sshd_config. On Ubuntu 22.04 and later you can instead drop a file into /etc/ssh/sshd_config.d/, which the default config includes at the top; sshd keeps the first value it sees for each keyword, so the drop-in wins.
- Set a custom port:
Port <port_number>
- Disable password authentication (assuming you are using key auth):
PasswordAuthentication no
- If you changed the port, allow it in the firewall before restarting, e.g. ufw allow <port_number>/tcp, otherwise the restart locks you out.
- Validate the configuration and restart sshd (the unit is called ssh on Ubuntu; sshd is an alias):
sshd -t && systemctl restart sshd
- Confirm the effective settings with sshd -T | grep -Ei '^(port|passwordauthentication) ' and test a new login in a second terminal before closing the old one.
Follow this Digital Ocean Guide.
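The SSH steps above as one script, added here as an example and not part of this repository. It writes the settings as a drop-in file instead of editing /etc/ssh/sshd_config in place, opens the port in ufw if ufw is present, and refuses to restart sshd unless `sshd -t` accepts the whole configuration. It assumes Ubuntu 22.04 or later (where sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`) and that key-based login already works; the drop-in file name 99-hardening.conf and the default port 2222 are arbitrary choices.

```shell
#!/usr/bin/env bash
# Added example (not from the repository): hardened sshd drop-in.
# Assumptions: Ubuntu 22.04+, so /etc/ssh/sshd_config includes
# /etc/ssh/sshd_config.d/*.conf first and the drop-in takes precedence
# (sshd keeps the first value it sees for each keyword); key auth works.
set -u

DROPIN=/etc/ssh/sshd_config.d/99-hardening.conf   # file name is our choice

# Print the drop-in contents for PORT. KbdInteractiveAuthentication is
# disabled too, because with UsePAM a password can otherwise still be
# entered through keyboard-interactive even when PasswordAuthentication is no.
render_sshd_hardening() {
    port="$1"
    printf 'Port %s\n' "$port"
    printf 'PasswordAuthentication no\n'
    printf 'KbdInteractiveAuthentication no\n'
    printf 'PubkeyAuthentication yes\n'
}

# Return 0 if FILE sets PORT and disables password login, 1 otherwise.
# Keyword and value matching is case-insensitive like sshd's own parser;
# a line "PasswordAuthentication yes" anywhere in FILE fails the check.
check_sshd_hardening() {
    file="$1"
    port="$2"
    grep -Eiq "^[[:space:]]*Port[[:space:]]+${port}[[:space:]]*$" "$file" || return 1
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no[[:space:]]*$' "$file" || return 1
    if grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$file"; then
        return 1
    fi
    return 0
}

# Write the drop-in, validate, restart. Needs root; aborts without touching
# the running sshd if the merged configuration does not parse.
apply_sshd_hardening() {
    port="$1"
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root" >&2
        return 1
    fi
    # Open the new port before the restart so the current session is not the last one.
    if command -v ufw >/dev/null 2>&1; then
        ufw allow "${port}/tcp"
    fi
    render_sshd_hardening "$port" > "$DROPIN"
    chmod 600 "$DROPIN"
    check_sshd_hardening "$DROPIN" "$port" || { rm -f "$DROPIN"; return 1; }
    # sshd -t parses sshd_config plus every included drop-in and exits non-zero on error.
    if ! sshd -t; then
        rm -f "$DROPIN"
        echo "configuration invalid, drop-in removed, sshd not restarted" >&2
        return 1
    fi
    systemctl restart ssh
    # sshd -T prints the effective values (lowercase keywords) the daemon will use.
    sshd -T | grep -Ei '^(port|passwordauthentication|kbdinteractiveauthentication) '
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    apply_sshd_hardening "${2:-2222}"
fi
```

Run it as `sudo ./ssh-hardening.sh --apply 2222`, then open a second terminal and log in on the new port before closing the session you ran it from.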
open-appsec is an ML-based WAF. From openappsec.io:
Prevents OWASP-Top-10 and zero-day threats against Web App & APIs by using ML-based security without signature updates (e.g. blocked Log4Shell and Spring4Shell with no updates)
It integrates with the local NGINX reverse proxy that Dokku uses. To install the WAF, follow this documentation. Run it in detect mode first and review what it flags before switching to prevent mode, so legitimate traffic to your Dokku apps is not blocked.